Whatʼs new

The following sections describe the new features and enhancements:

• Proxy settings
• Policy and objects
• Security profiles
• Content analyses
• WAN optimization
• User and authentication
• System
• Security Fabric
• Log and report

Proxy settings

This section includes new features related to proxy settings:

• LDAP user cache
• New masquerade command for the isolator server
• Web proxy header expanded
• Increased size of the cache object
• Disabling IP-based URL rating
• HTTP domain fronting blocking
• Use the body of the HTTP POST method to control web access

LDAP user cache

You can now use the following CLI commands to control the LDAP user cache for explicit proxy and transparent proxy users:

config web-proxy global

set ldap-user-cache {enable | disable}

end

New masquerade command for the isolator server

You can now use the CLI to control whether the web proxy uses the device address to connect to the proxy server for the isolator server. By default, this feature is enabled.

config web-proxy isolator-server

edit <server_name>

set masquerade {enable | disable}

next

end

Web proxy header expanded

The set content command (under the config web-proxy profile command) was previously limited to 256 characters. The header content can now be as long as 512 characters.

Increased size of the cache object

Use the following CLI commands to set the maximum size of the cacheable object:

config webcache settings

set max-object-size <1-2147483>

end

Disabling IP-based URL rating

You can now disable IP-based URL rating for SSL-exemption and proxy-address objects. By default, IP-based URL rating is enabled. Use the following CLI commands:

config firewall ssl-ssh-profile

edit <name>

set ssl-exemption-ip-rating {enable | disable}

next

end

config web-proxy global

set address-ip-rating {enable | disable}

end

HTTP domain fronting blocking

You can now block HTTP domain fronting with the following commands:

config firewall profile-protocol-options

edit <name>

config http

set domain-fronting disable

end

next

end

Use the body of the HTTP POST method to control web access

You can now control access to web services based on login information. Use the new set post-arg command:

config firewall proxy-address

edit <name>

set post-arg {enable | disable}

next

end

For example:

config firewall proxy-address

edit "xaddr-url-user"

set host "all"

set path "/t"

set query "username=.*&"

set post-arg enable

next

end

Policy and objects

This section includes new features related to policies and objects:

• New pass-through policy
• Export policy list to CSV and JSON formats

New pass-through policy

There is a new option to define a policy as a pass-through policy. When traffic matches a pass-through policy, the firewall continues to the next policy. After FortiProxy tries to match all policies, it will set the last matched pass-through policy as the matched policy. By default, the pass-through option is disabled.

To enable a pass-through policy in the GUI:

1. Go to Policy & Objects > Policy.
2. Create a new policy or edit an existing policy.
3. Enable Enable Policy Matching Pass Through.
4. Configure the remaining settings as needed.
5. Click OK.

To control a pass-through policy in the CLI:

config firewall policy

edit <policy_ID>

set pass-through {enable | disable}

next

end

Export policy list to CSV and JSON formats

In the Policy list page, users can export the current view to CSV and JSON formats.

To export the policy list to a CSV or JSON file:

1. Go to Policy & Objects > Policy.
2. In the toolbar above the list, click Export.
3. Select CSV or JSON.

   

   The file is automatically downloaded.

Security profiles

This section includes new features related to security profiles:

• Client authentication with client certificate for Original Content Server

Client authentication with client certificate for Original Content Server

Clients can now use a client certificate for authentication on behalf of the Original Content Server. Use the following CLI commands:

config firewall ssl-ssh-profile

edit <profile_name>

config ssl-client-certificate

set status <*do-not-offer | keyring-list | ca-sign>

set keyring-list <keyring_list_used_to_find_client_certificate>

set caname <CA_certficate_used_to_sign_client_certificate>

end

next

end

config firewall ssl keyring-list

edit <keyring_list_used_to_find_client_certificate>

set uuid <UUID>

next

end

Content analyses

This section includes new features related to content analyses:

• X-Scan-Progress-Interval header supported in the FortiProxy ICAP client
• Timeout configuration available for the FortiProxy ICAP client
• ICAP load balancing available in the GUI
• ICAP scanning supported for FTP

X-Scan-Progress-Interval header supported in the FortiProxy ICAP client

You can now use the CLI to specify that the X-Scan-Progress-Interval header is used in the FortiProxy ICAP client and specify the scan progress interval value:

config icap profile

edit <profile_name>

set response {enable | disable}

set response-server <name_of_ICAP_server>

set response-path <HTTP_response_processing_service>

set extension-feature scan-progress

set scan-progress-interval <5-30 seconds (default is 10)>

next

end

Timeout configuration available for the FortiProxy ICAP client

You can now use the CLI to configure the number of seconds that the ICAP client waits for a response from the ICAP server:

config icap profile

edit <profile_name>

set timeout <30-3600 seconds (default is 30)>

next

end

ICAP load balancing available in the GUI

You can now configure ICAP load balancing in the GUI:

1. Go to Content Analyses > ICAP Load Balancing.
2. Click Create New.
3. Enter a name for the ICAP load-balancing configuration.
4. Select the load-balancing method:
   • Weighted—Balance the traffic load to ICAP servers based on the assigned weights.
   • Least Session—Send new sessions to the ICAP server with the lowest session count.
   • Active Passive—Send new sessions to the active ICAP server with the highest weight.
5. To create a server list for load balancing, click Create New.
6. Select or create a remote server.
7. Enter a weight for the remote server.
8. Click OK to save the remote server entry.
9. Click OK save your ICAP load-balancing configuration.

ICAP scanning supported for FTP

NOTE: The ICAP profile must be configured in the CLI before it is used in the GUI.

To forward transferred files with FTP to the ICAP server for further processing using the GUI:

1. Configure the ICAP remote server:

   1. Go to Content Analyses > ICAP Remote Server.

   2. Create a new configuration for an ICAP server or edit an existing configuration.

   3. Click OK.

2. Create an ICAP profile that references the ICAP remote server:

   1. Go to Content Analyses > ICAP Profile.

   2. Click Create New.

   3. In the FTP section, click FTP.

   4. From the Server dropdown, select the ICAP server to use for the file transfer.

   5. Click Error or Bypass for the action to take if the ICAP server cannot be contacted when processing a file transfer.

   6. In the Path field, enter the path of the file transfer processing service.

   7. Configure the remaining settings as needed.

   8. Click OK to save the ICAP profile.

3. Create an explicit FTP proxy policy that uses the ICAP policy:

   1. Go to Policy & Objects > Policy.

   2. Click Create New.

   3. Select FTP in the Type dropdown.

   4. Enable ICAP and select the ICAP profile that references the ICAP remote server.

   5. Enable Enable this policy.

   6. Configure the remaining settings as needed.

   7. Click OK.

To forward transferred files with FTP to the ICAP server for further processing using the CLI:

1. Configure the ICAP remote server:

   config icap server

   edit <name_of_ICAP_server>

   set ip-version {4 | 6}

   set ip-address <IPv4_address_of_ICAP_server>

   set ip6-address <IPv6_address_of_ICAP_server>

   set port <ICAP_server_port>

   set max-connections <1-65535>

   set secure {enable | disable}

   next

   end

   For example:

   config icap remote-server

   edit "icap1"

   set ip-address 172.18.20.43

   next

   end

2. Create an ICAP profile that references the ICAP remote server:

   config icap profile

   edit {<ICAP_profile_name>new | default}

   set replacemsg-group <replacement_message_group>

   set request {disable | enable}

   set response {disable | enable}

   set file-transfer ftp

   set file-transfer-server <remote_server_name>

   set file-transfer-failure {error | bypass}

   set file-transfer-path <string>

   set streaming-content-bypass {disable | enable}

   set allow-204-response {disable | enable}

   set preview {disable | enable}

   set methods {delete | get | head | options | post | put | trace | other}

   set icap-block-log {disable | enable}

   set chunk-encap {disable | enable}

   set extension-feature scan-progress

   set timeout {30-3600}

   set preview-data-length <0-4096>

   set request-server <ICAP_server>

   set response-server <ICAP_server>]

   set request-failure {error | bypass}

   set response-failure {error | bypass}

   set request-path <string>

   set response-path <string>

   set response-req-hdr {disable | enable}

   set respmod-default-action {forward | bypass}

   next

   end

   For example:

   config icap profile

   edit "new1"

   set request enable

   set response enable

   set file-transfer ftp

   set request-server "icap1"

   set response-server "icap1"

   set file-transfer-server "icap1"

   set request-path "test"

   set response-path "test"

   set file-transfer-path "test"

   next

   end

3. Create an explicit FTP proxy policy that uses the ICAP policy:

   config firewall policy

   edit <policy_ID>

   set type explicit-ftp

   set status enable

   set name <policy_name>

   set uuid <UUID>

   set dstintf <interface_name>

   set srcaddr <address_name>

   set dstaddr <address_name>

   set srcaddr6 <address_name>

   set dstaddr6 <address_name>

   set action {accept | deny}

   set schedule {<schedule_name} | always | none}

   set ztna-ems-tag <address_name>

   set ztna-tags-match-logic {or | and}

   set internet-service {enable | disable}

   set pass-through {enable | disable}

   set internet-service-name <Internet_service_name>

   set logtraffic {all | utm | disable}

   set logtraffic-start {enable | disable}

   set groups <group_name>

   set users <user_name>

   set comments <string>

   set replacemsg-override-group <string>

   set srcaddr-negate {enable | disable}

   set dstaddr-negate {enable | disable}

   set max-session-per-user <0-4294967295>

   set profile-group <profile_group_name>

   set profile-protocol-options <profile_name>

   set ssl-ssh-profile <profile_name>

   next

   end

   For example:

   config firewall policy

   edit 3

   set type explicit-ftp

   set uuid 9b932658-3214-51ec-f906-09ea9dd7e6dd

   set dstintf "port1"

   set srcaddr "all"

   set dstaddr "all"

   set action accept

   set schedule "always"

   set utm-status enable

   set logtraffic all

   set ssl-ssh-profile "certificate-inspection"

   set av-profile "fai"

   set icap-profile "new1"

   next

   end

WAN optimization

This section includes new features related to WAN optimization:

• TLS 1.3 supported for WAN optimization
• Tracking WAD memory

TLS 1.3 supported for WAN optimization

WAN optimization now supports TLS 1.3.

Tracking WAD memory

Use the following command to check how much memory has been allocated for the WAN-optimization daemon (WAD):

diagnose wad memory track [<mem-id>]

User and authentication

This section includes new features related to users and authentication:

• SAML features improved

SAML features improved

The following SAML features have been improved:

• You can now use external browser SAML authentication.
• Clock-skew tolerance is now supported.
• Error messages have been improved.

System

This section includes new features related to system:

• Disable weak ciphers in the HTTPS protocol

Disable weak ciphers in the HTTPS protocol

Administrators can select what ciphers to use for TLS 1.3 in administrative HTTPS connections and what ciphers to ban for TLS 1.2 and below.

To select the ciphers to use for TLS 1.3 and ban for TLS 1.2 and lower:

config system global
    set admin-https-ssl-ciphersuites {TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256 TLS-AES-128-CCM-SHA256 TLS-AES-128-CCM-8-SHA256}
    set admin-https-ssl-banned-ciphers {RSA DHE ECDHE DSS ECDSA AES AESGCM CAMELLIA 3DES SHA1 SHA256 SHA384 STATIC CHACHA20 ARIA AESCCM}
end

admin-https-ssl-ciphersuites {TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256 TLS-AES-128-CCM-SHA256 TLS-AES-128-CCM-8-SHA256}	Select one or more TLS 1.3 cipher suites to enable. Ciphers in TLS 1.2 and below are not affected. At least one must be enabled. To disable all, remove TLS1.3 from admin-https-ssl-versions. TLS-AES-128-CCM-SHA256 and TLS-AES-128-CCM-8-SHA256 are only available when strong-crypto is disabled.
admin-https-ssl-banned-ciphers {RSA DHE ECDHE DSS ECDSA AES AESGCM CAMELLIA 3DES SHA1 SHA256 SHA384 STATIC CHACHA20 ARIA AESCCM}	Select one or more cipher technologies that cannot be used in GUI HTTPS negotiations. Only applies to TLS 1.2 and below.

To test connecting from a PC using one of the cipher suites:

1. Disable strong-crypto and select all five cipher suites:

   config system global
       set admin-https-redirect disable
       set admin-https-ssl-ciphersuites TLS-AES-128-GCM-SHA256 TLS-AES-256-GCM-SHA384 TLS-CHACHA20-POLY1305-SHA256 TLS-AES-128-CCM-SHA256 TLS-AES-128-CCM-8-SHA256
       set strong-crypto disable
   end

2. Connect from a PC using TLS_AES_128_CCM_SHA256:

   ~$ openssl s_client -connect 172.16.200.101:443 -tls1_3 -ciphersuites TLS_AES_128_CCM_SHA256
   CONNECTED(00000005)
   Can't use SSL_get_servername
   depth=0 O = Fortinet Ltd., CN = FortiGate
   ...
   ---
   New, TLSv1.3, Cipher is TLS_AES_128_CCM_SHA256
   Server public key is 2048 bit
   ....

3. Enable strong-crypto:

   config system global
       set strong-crypto enable
   end
   TLS cipher suite 'TLS-AES-128-CCM-SHA256' can not be supported so removed.
   TLS cipher suite 'TLS-AES-128-CCM-8-SHA256' can not be supported so removed.

4. Try to connect from the PC again using TLS_AES_128_CCM_SHA256:

   ~$ openssl s_client -connect 172.16.200.101:443 -tls1_3 -ciphersuites TLS_AES_128_CCM_SHA256
   CONNECTED(00000005)
   139694547268800:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:../ssl/record/rec_layer_s3.c:1528:SSL alert number 40
   ---
   no peer certificate available
    ---
   No client certificate CA names sent
   ---
   SSL handshake has read 7 bytes and written 211 bytes
   Verification: OK
   ---
   New, (NONE), Cipher is (NONE)
   Secure Renegotiation IS NOT supported
   ....

   The connection fails because TLS_AES_128_CCM_SHA256 is not supported when strong-ctrypo is enabled.

Security Fabric

This section includes new features related to the Security Fabric:

• FortiAI integration
• Support new external resource type for URL lists

FortiAI integration

FortiAI can now be added to the Security Fabric.

To add FortiAI to the Security Fabric in the GUI:

1. Go to System > Settings.
2. In the FortiAI section, enable Status.
3. Click Apply.
4. Go to Security Fabric > Fabric Connectors.
5. Double-click Security Fabric Setup to enable the Security Fabric and configure the interface to allow other Security Fabric devices to join.
6. Click OK.

7. In FortiAI, configure the device to join the Security Fabric:

   1. Go to Security Fabric > Fabric Connectors and double-click the connector card.

   2. Enable Enable Security Fabric.

   3. Enter the FortiProxy root IP address and the FortiAI IP address.

   4. Click OK.

8. Authorize FortiAI in FortiProxy:

   1. Go to Security Fabric > Fabric Connectors.

   2. In the topology tree in the rightmost pane, click the highlighted FortiAI serial number and click Authorize.

      The authorized device appears in the topology tree. Hover over the device name to view the tooltip.

      The Security Fabric widget on the dashboard also updates when the FortiAI is authorized.

   3. Click OK.

To add a Fabric Device widget for FortiAI:

1. Go to Dashboard > Status and click Add Widget.

2. In the Security Fabric section, click the + beside Fabric Device.

3. For Device, select the FortiAI device.

4. Select a Widget name and Visualization type from the dropdowns.

5. Click Add Widget and click Close.
   The Fabric Device widget is displayed in the dashboard.

To add FortiAI to the Security Fabric in the CLI:

1. Configure the interface to allow other Security Fabric devices to join:

   config system interface
   	edit "port1"
   		...
   		set allowaccess ping https ssh http fgfm fabric
   		...
   	next
   end

2. Configure the Security Fabric:

   config system csf
   	set status enable
   	set group-name "FortiAI"
   	set group-password ********
   	config trusted-list
   		edit "FAIVMSTM21000000"
   			set authorization-type certificate
   			set certificate "****************"
   		next
   	end
   end

3. In FortiAI, configure the device to join the Security Fabric:

   config system csf
   	set status enable
   	set upstream-ip 172.18.64.122
   	set managment-ip 172.18.64.114
   end

4. In FortiProxy, enable FortiAI:

   config system fortiai	
   	set status enable
   end

Support new external resource type for URL lists

You can now create and use lists of external URLs. The URL list is a plain text file with one URL on each line.

To specify external URL lists in the GUI:

1. Go to Security Fabric > External Connectors.
2. Click Create New.
3. Under Threat Feeds, click URL List.
4. In the Name field, enter a name for the URL list.
5. In the URL of external resource field, enter the Uniform Resource Identifier (URI) of the URL list.
6. If you enable HTTP basic authentication, enter the user name and password.
7. In the Refresh Rate field, enter the number of minutes before the URL list is refreshed.
8. In the Comments field, enter a description of the URL list.
9. Make certain that Status is enabled.
10. Click OK.

To specify external URL lists in the CLI:

1. Specify the URL list as an external resource:

   config system external-resource

   edit <external_resource_name>

   set type url

   set resource <URI_of_URL_list>

   set username <user_name_for_HTTP_basic_authentication>

   set password <password_for_HTTP_basic_authentication>

   set refresh-rate <1-43200 minutes>

   set comments <string>

   set status enable

   next

   end

   For example:

   config system external-resource

   edit "user-list1"

   set type url

   set resource "http://172.16.80.129/byte1.txt"

   next

   end

2. Create a web proxy address that uses the URL list:

   config firewall proxy-address

   edit "<address_name>

   set type url-list

   set host {all | none | <string>}

   set url-list <external_URL_list>

   next

   end

   For example:

   config firewall proxy-address

   edit "xaddr-list"

   set type url-list

   set host all

   set url-list "user-list1"

   next

   end

Log and report

This section includes new features related to logs and reports:

• ICAP group and user reported in logs
• Web filter log contains more information about HTTP traffic

ICAP group and user reported in logs

The ICAP server now reports the group name and user name in the data leak prevention (DLP), antivirus, web filter, and scan unit error logs when an ICAP request meets the blocking criteria.

Web filter log contains more information about HTTP traffic

The web filter log now contains the following information:

• How long it takes to scan the HTTP request
• Client request host header
• Client request host inside of the request line
• Server response code